summaryrefslogtreecommitdiff
path: root/libpod/container_inspect.go
diff options
context:
space:
mode:
authorcdoern <cdoern@redhat.com>2021-11-04 23:48:35 -0400
committercdoern <cdoern@redhat.com>2021-12-27 13:39:36 -0500
commit289270375a54c26b86f9e2d99aab18b427e56b88 (patch)
treeee7b7c5614e0ea07ddc4c41842602740e9c8f25c /libpod/container_inspect.go
parente06631d6c22f4d5b7a62f70ccdf623379a9d5fe7 (diff)
downloadpodman-289270375a54c26b86f9e2d99aab18b427e56b88.tar.gz
podman-289270375a54c26b86f9e2d99aab18b427e56b88.tar.bz2
podman-289270375a54c26b86f9e2d99aab18b427e56b88.zip
Pod Security Option support
Added support for pod security options. These are applied to infra and passed down to the containers as added (unless overridden). Modified the inheritance process from infra, creating a new function Inherit() which reads the config, and marshals the compatible options into an intermediate struct `InfraInherit` This is then unmarshaled into a container config and all of this is added to the CtrCreateOptions. Removes the need (mostly) for special additons which complicate the Container_create code and pod creation. resolves #12173 Signed-off-by: cdoern <cdoern@redhat.com>
Diffstat (limited to 'libpod/container_inspect.go')
-rw-r--r--libpod/container_inspect.go36
1 files changed, 23 insertions, 13 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index f72700ab6..792dfc58e 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -273,6 +273,27 @@ func (c *Container) GetInspectMounts(namedVolumes []*ContainerNamedVolume, image
return inspectMounts, nil
}
+// GetSecurityOptions retrives and returns the security related annotations and process information upon inspection
+func (c *Container) GetSecurityOptions() []string {
+ ctrSpec := c.config.Spec
+ SecurityOpt := []string{}
+ if ctrSpec.Process != nil {
+ if ctrSpec.Process.NoNewPrivileges {
+ SecurityOpt = append(SecurityOpt, "no-new-privileges")
+ }
+ }
+ if label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]; ok {
+ SecurityOpt = append(SecurityOpt, fmt.Sprintf("label=%s", label))
+ }
+ if seccomp, ok := ctrSpec.Annotations[define.InspectAnnotationSeccomp]; ok {
+ SecurityOpt = append(SecurityOpt, fmt.Sprintf("seccomp=%s", seccomp))
+ }
+ if apparmor, ok := ctrSpec.Annotations[define.InspectAnnotationApparmor]; ok {
+ SecurityOpt = append(SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
+ }
+ return SecurityOpt
+}
+
// Parse mount options so we can populate them in the mount structure.
// The mount passed in will be modified.
func parseMountOptionsForInspect(options []string, mount *define.InspectMount) {
@@ -422,16 +443,14 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
hostConfig.GroupAdd = make([]string, 0, len(c.config.Groups))
hostConfig.GroupAdd = append(hostConfig.GroupAdd, c.config.Groups...)
- hostConfig.SecurityOpt = []string{}
if ctrSpec.Process != nil {
if ctrSpec.Process.OOMScoreAdj != nil {
hostConfig.OomScoreAdj = *ctrSpec.Process.OOMScoreAdj
}
- if ctrSpec.Process.NoNewPrivileges {
- hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
- }
}
+ hostConfig.SecurityOpt = c.GetSecurityOptions()
+
hostConfig.ReadonlyRootfs = ctrSpec.Root.Readonly
hostConfig.ShmSize = c.config.ShmSize
hostConfig.Runtime = "oci"
@@ -456,15 +475,6 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
if ctrSpec.Annotations[define.InspectAnnotationInit] == define.InspectResponseTrue {
hostConfig.Init = true
}
- if label, ok := ctrSpec.Annotations[define.InspectAnnotationLabel]; ok {
- hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("label=%s", label))
- }
- if seccomp, ok := ctrSpec.Annotations[define.InspectAnnotationSeccomp]; ok {
- hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("seccomp=%s", seccomp))
- }
- if apparmor, ok := ctrSpec.Annotations[define.InspectAnnotationApparmor]; ok {
- hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, fmt.Sprintf("apparmor=%s", apparmor))
- }
}
// Resource limits